returnreturn
Follina a silent Client-Side

By:
Mariano Quintana
(Cybersecurity Researcher & Trainer)

SHARE

Twitter Facebook linkedin
References
GENERAL Jun 13, 2023  •  47' READ

OWASP Guide to APIs 2023

As developers and/or responsible for the security of a company, application, information and a long etcetera, we must be able to define the limit of right and wrong when building and designing the security architecture of it, often happens that in the process we forget to take into account the most common mistakes made by other developers or that we also forget the main interests of the attackers. If we were to keep up to date on our own, it would be a titanic task since the vulnerabilities and the attackers' interests for new ones, have an exponential rate of variations.

This raises several questions when it comes to proposing a secure design of a web application, web service and/or mobile application; One could easily say that the most convenient thing to do would be to put together a list of the most known vulnerabilities based on personal experience, but there we would only be taking into account a single view of the situation, although it is desirable that companies have a history of previous vulnerabilities or failures to be able to apply them to continuous improvement, it is also true that this history will be based on a single type of architecture and/or a single type of application. In the short term, this may not have an impact at the enterprise level, but if the enterprise is constantly immersed in innovation processes, as it should be, it will always find itself in the dilemma of constantly changing the architecture and proposing improvements to the usual processes developed on a daily basis, leading it to implement new functionalities and new technologies that could be at risk under the perspective of this history (based on an obsolete architecture).

That is where we need to start from scratch, which will provide us with new points of view. Why invest efforts in gathering statistics and building history if there may be someone who has done the same thing before but not only referring to a particular architecture, but also to many situations that have occurred applied to different fields.

The case I mention is the case of OWASP, (Open Worldwide Application Security Project). A project that arose out of the need to highlight the most common interests of attackers based on the mistakes that developers make throughout the software development cycle, the OWASP community is made up of companies, educational organizations and individuals from all over the world. Together they form a computer security community that works to create articles, methodologies, documentation, tools and technologies that are freely-available and can be used by anyone. Updating the main trends, as a consequence of the existing improvements in secure development processes. This organization that was born focused on errors associated with web applications, today has several versions to its credit, typifying the most exploited vulnerabilities and grouping them according to the nature of the application. We currently have OWASP Web, OWASP Mobile, and OWASP API, which will be detailed in this article: OWASP - API 2023

A fundamental element of innovation in today's application-driven world is the application programming interface (API). From banking, retail, transportation to IoT, autonomous vehicles and smart cities, APIs are a fundamental part of modern mobile, SaaS and web applications so as they are commonly encountered at the client level they are becoming a prime target for attackers, in the face of carelessness in implementing them.

While the concept of an API is simple, a service that is providing a resource and an interface on the other side consuming the various features, as shown in the image;


Most developers omit the process of securing them, perhaps because of a false sense of security that leads them to think that an attacker, unaware of how it works, will not target these services because they are outside the attack surface. When in fact the opposite is true.

The following are the 10 most frequent vulnerabilities in this area:

API1 - Broken Object Level Authorization

Object level authorization is an access control mechanism, usually implemented at the code level, in charge of validating that a user accesses only the objects he is allowed to access. Assuming the case that a user presents his credentials to the interface hosted on the phone and then he himself wants to access another resource provided by the service, as follows:


If the system returns to the user any object without validating that the user has permissions to perform the requested action on the requested object, we are in the presence of a Broken Object Level Authorization, so an attacker can access any object without problems.


API2 - Broken Authentication

This flaw, also common in web applications, can manifest itself in several vulnerabilities because when we face an API endpoint, there is an initial challenge to be able to consume it and start exchanging resources.

There are several cases where this may occur:

  • Whether the API allows Credential Stuffing attacks, where attackers use known credentials from accounts and/or usernames leaked in some recent leak.
  • If the API allows weak passwords or weak authentication mechanisms such as: Basic Authentication.
  • If the API exchanges data via GET parameters, it would allow authentication data leakage through the idle memory hosted on the victim's device.
  • If JWT tokens are used but are not validated throughout the transaction.
  • If the tokens used do not have the correct expiration date configured.
  • If the endpoint has no protection against brute force attacks (poor or no captcha implementation).
  • If weak algorithms are used for data encryption, at rest and in transit.

Potential scenario:

  • An attacker invokes the reset-password module which results in the invocation of a module similar to this /api/v1/reset-password.


  • Then the API automatically sends a reset command for the 456 user, as a result of which the service sends a 5-digit reset token to the affected user's mailbox. In the interface you will be prompted to enter the token.

  • By entering any token, the attacker captures the Request and can read a request similar to this one;


  • As our web service does not have the proper protection, the attacker can perform a brute force with Burp Suite tool to guess the 5-digit token, being in the presence of a Broken Authentication attack.

API3 - Broken Object Property Level Authorization

This category of vulnerabilities, combines two vulnerabilities described in the 2019 revision associated with APIs, where we have Excessive Data Exposure and Mass Assignment, basically focused on the manipulation of sensitive information and the exposure of this type of information, referring to the properties of objects.

A simple example of this vulnerability could be the following ;

  • The user enters the card number and the corresponding data to make a purchase.
  • Then this data is sent from the “API gateway” to an “Internal API”. (So far no problem)
  • Upon receiving this data, the API sends a response with much more data than it should send to the user.


API4 - Unrestricted Resource Consumption

Some queries require resources such as bandwidth, CPU consumption, memory and storage and others have this processing capacity relegated to the service providers, since it is very likely that not all the APIs of an application are under the control of the company that develops the application. Many frameworks use third-party APIs and pay for each request, so these attacks are associated with damaging the maintenance costs of these APIs. perjudicar los costos de mantenimiento de esas APIs.

For example:

  • An authentication module has a password recovery form.
  • This password recovery form has an external SMS sending service that incurs a cost for each request that is generated to it.
  • An attacker finds a way to consume this service for free by using this SMS sending for other purposes without the need to present credentials.


API5 - Broken Function Level Authorization

First of all, attackers look for a target that contains two or more types of accounts. It could be a common user in charge of the usual tasks worked on his profile and in another case it could be an administrator user, in charge of having an overview of the whole issue. By capturing several calls to the respective API the attacker finds a hidden parameter that refers to the account type, so he proceeds to change it, allowing access to a function of another user that does not correspond to his tasks.

In summary, within the authorization management, these vulnerable APIs do not correctly control access to functions that correspond to more advanced profiles.


In this image the attacker simply replaces the module users by admin and access all users' information.


API6 - Unrestricted Access to sensitive business flows

When creating an endpoint it is very important to understand which are the most important business flows, usually those that carry the most critical information of the company and operations, so protecting them becomes the main task of every programmer. If these flows are exposed, we could have a medium to critical impact on the operation of the application depending on the business flow that has been exposed through these failures.

Some of the most common examples of exposed business flows are in the following situations:

  • An attacker who has the ability to buy all the products in high demand in the face of application weaknesses, and then sell them at a higher price.
  • Create SPAM in a system that has exposed the flow of comments and/or posts creation.
  • A flow of seat reservations in a movie theater that, when exposed, gives the attacker the possibility to reserve all seats.

As we saw in these three cases, APIs present these vulnerabilities because authentication is not required to use these resources. So it allows a user to bypass the normal flow of the application and go to alternative flows that do not correspond to their natural flow of the application.


Image taken from https://medium.com/


API7 - Server Side Request Forgery

This vulnerability occurs when an API allows server-side HTTP queries to an arbitrary domain chosen by the attacker.

This allows an attacker to connect to internal infrastructure services where the API is hosted and leak sensitive information.

The cases are varied, but let's look at how an attacker could steal a company's AWS keys.

  • Suppose a web request that queries the stock of a product, it looks as follows.
  • In this case, an attacker could modify the query to, instead of asking for product stock data, ask for API metadata and find a list of valid roles.
  • Although initially the API has access restriction so that external queries cannot be made, the query originates from the server. Therefore, the API will respond to the query as if it were authorized to do so.


API8 - Security Misconfiguration

As in web applications, there are bad security configurations in APIs. This occurs when the correct hardening of the platform is not applied or there are misconfigured permissions when deploying them. Among the issues to be reviewed, developers usually omit most security issues due to the lack of automation in the testing stage. Among the possible misconfigurations are the following:

  • Latest patches updated
  • Unnecessary services enabled
  • Lack of controls and/or directives regarding cache memory
  • Lack of policies regarding the use of CORS
  • Mishandling of errors

API9 - Improper Inventory Management

APIs tend to expose more endpoints than traditional web applications, leading developers to create corresponding documentation of the operation of each of the corresponding APIs. The appropriate inventory must be relieved because if the documentation is lost or leaked, attackers could expand their attack surface by maximizing their knowledge of how to handle the exposed services.

This vulnerability, coupled with the lack of protection, becomes the main time bomb associated with these issues. We must always ask ourselves, for each API, if all current endpointsshould be available, in order to apply the principle of least privilege to the entire architecture configuration.


In this image we see the potential complexity of documenting the operation of an architecture that adds different APIs as they are required.


In an example case, let's suppose that we have additionally the following url:

⦁ < http://WEBSITE:5555/api/v2/res//all >

If we pay special attention to the construction of the url we realize that we are working with version 2 of it, an attacker who understands this type of operation could replace the v2 by a v1, to see what modules were available related to the previous version of the API. It often happens that developers restrict modules that they do not use in the new version, but neglect previous versions that could be active as a result of an incorrect survey when building the inventory.

API10- Unsafe Consumption of APIs

Developers tend to receive data from third-party APIs, often those consumptions that are under the orbit of the enterprise architecture do not have a security treatment adequate to the rest of the flows of the application that consumes these services.

Therefore, the neglect of these components generates an interesting attack surface for the cybercriminal's perspective since they can use these resources to damage the operation of the application.


As shown in the image, if we have our API endpoints and they are controlled, for example, by a third-party API Management, an attacker who finds a flaw in this third-party component will be able to breach the entire previously designed architecture. That is why developers have to be constantly aware of the flaws that may exist in the systems that are contracted and outsourced.

Recommendations

When thinking about how to protect ourselves against these issues, we would say that what we need to do is to increase our awareness of the IT assets we deploy when we build an application. It is important to follow the OWASP recommendations regarding each point in order to be able to execute a correct implementation of the APIs and not abuse the potential ignorance of the attackers. We invite you to visit the OWASP API security Project, for more specific solutions in each case. If you liked this post and want us to make one related to the recommendations, leave it in the comments.

Conclusion

The main mistake is first of all to believe that nobody will pay attention to a certain point of our architecture and added to that to believe that security by obscurity (Use of the secret design as a protection measure, security by ignorance) is the most effective mechanism to defend ourselves when in reality, in many occasions the attackers know more than us of our own application.